Fix installer delete for v2

This commit adds the Tenant service delete function to the private api
for use by the installer and improves the installer delete functionality
for deleting ECR images from all service repositories, properly deleting
tenants (and only active tenants), and deleting Active Directory
resources when created.

Author: PoeppingT

installer/src/main/java/com/amazon/aws/partners/saasfactory/saasboost/SaaSBoostInstall.java

@@ -50,6 +50,7 @@
 import software.amazon.awssdk.services.s3.model.*;
 import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
 import software.amazon.awssdk.services.secretsmanager.model.CreateSecretRequest;
+import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
 import software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException;
 import software.amazon.awssdk.services.ssm.SsmClient;
 import software.amazon.awssdk.services.ssm.model.*;
@@ -526,15 +527,20 @@ protected void deleteSaasBoostInstallation() {
         List<LinkedHashMap<String, Object>> tenants = getProvisionedTenants();
         for (LinkedHashMap<String, Object> tenant : tenants) {
             outputMessage("Deleting AWS SaaS Boost tenant " + tenant.get("id"));
-            deleteProvisionedTenant(tenant);
+            if ((Boolean) tenant.get("active")) {
+                LOGGER.debug("Deleting active tenant", tenant);
+                deleteProvisionedTenant(tenant);
+            } else {
+                LOGGER.debug("Not deleting inactive tenant: ", tenant);
+            }
         }
 
         // Clear all the images from ECR or CloudFormation won't be able to delete the repository
         try {
-            GetParameterResponse parameterResponse = ssm.getParameter(request -> request.name("/saas-boost/" + this.envName + "/ECR_REPO"));
-            String ecrRepo = parameterResponse.parameter().value();
-            outputMessage("Deleting images from ECR repository " + ecrRepo);
-            deleteEcrImages(ecrRepo);
+            for (String ecrRepo : getEcrRepositories()) {
+                outputMessage("Deleting images from ECR repository " + ecrRepo);
+                deleteEcrImages(ecrRepo);
+            }
         } catch (SdkServiceException ssmError) {
             LOGGER.error("ssm:GetParameter error", ssmError);
             LOGGER.error(getFullStackTrace(ssmError));
@@ -555,6 +561,26 @@ protected void deleteSaasBoostInstallation() {
         outputMessage("Deleting AWS SaaS Boost stack: " + this.stackName);
         deleteCloudFormationStack(this.stackName);
 
+        // Delete the ActiveDirectory Password in SSM if it exists
+        try {
+            ssm.deleteParameter(request -> request
+                .name("/saas-boost/" + envName + "/ACTIVE_DIRECTORY_PASSWORD")
+                .build());
+            outputMessage("ActiveDirectory SSM secret deleted.");
+        } catch (ParameterNotFoundException pnfe) {
+            // there is no ACTIVE_DIRECTORY_PASSWORD parameter, so there is nothing to delete
+        }
+        // Delete the ActiveDirectory password in SecretsManager if it exists
+        try {
+            secretsManager.deleteSecret(request -> request
+                .forceDeleteWithoutRecovery(true)
+                .secretId("/saas-boost/" + envName + "/ACTIVE_DIRECTORY_PASSWORD")
+                .build());
+            outputMessage("ActiveDirectory secretsManager secret deleted.");
+        } catch (ResourceNotFoundException rnfe) {
+            // there is no ACTIVE_DIRECTORY_PASSWORD secret, so there is nothing to delete
+        }
+
         // Finally, remove the S3 artifacts bucket that this installer created outside of CloudFormation
         LOGGER.info("Clean up s3 bucket: " + saasBoostArtifactsBucket);
         cleanUpS3(saasBoostArtifactsBucket.getBucketName(), null);
@@ -578,6 +604,49 @@ protected void deleteSaasBoostInstallation() {
         outputMessage("Delete of SaaS Boost environment " + this.envName + " complete.");
     }
 
+    private List<String> getEcrRepositories() {
+        List<String> repos = new ArrayList<>();
+        try {
+            Map<String, Object> systemApiRequest = new HashMap<>();
+            Map<String, Object> detail = new HashMap<>();
+            detail.put("resource", "settings/config");
+            detail.put("method", "GET");
+            systemApiRequest.put("detail", detail);
+            final ObjectMapper mapper = new ObjectMapper();
+            final byte[] payload = mapper.writeValueAsBytes(systemApiRequest);
+            try {
+                LOGGER.info("Invoking getSettings API");
+                InvokeResponse response = lambda.invoke(request -> request
+                        .functionName("sb-" + this.envName + "-private-api-client")
+                        .invocationType(InvocationType.REQUEST_RESPONSE)
+                        .payload(SdkBytes.fromByteArray(payload))
+                );
+                if (response.sdkHttpResponse().isSuccessful()) {
+                    LOGGER.error("got response back: {}", response);
+                    String configJson = response.payload().asUtf8String();
+                    HashMap<String, Object> config = mapper.readValue(configJson, HashMap.class);
+                    HashMap<String, Object> services = (HashMap<String, Object>) config.get("services");
+                    for (String serviceName : services.keySet()) {
+                        HashMap<String, Object> service = (HashMap<String, Object>) services.get(serviceName);
+                        repos.add((String) service.get("containerRepo"));
+                    }
+                } else {
+                    LOGGER.warn("Private API client Lambda returned HTTP " + response.sdkHttpResponse().statusCode());
+                    throw new RuntimeException(response.sdkHttpResponse().statusText().get());
+                }
+            } catch (SdkServiceException lambdaError) {
+                LOGGER.error("lambda:Invoke error", lambdaError);
+                LOGGER.error(getFullStackTrace(lambdaError));
+                throw lambdaError;
+            }
+        } catch (IOException jacksonError) {
+            LOGGER.error("Error processing JSON", jacksonError);
+            LOGGER.error(getFullStackTrace(jacksonError));
+            throw new RuntimeException(jacksonError);
+        }
+        return repos;
+    }
+
     protected void installAnalyticsModule() {
         LOGGER.info("Installing Analytics module into existing AWS SaaS Boost installation.");
         outputMessage("Analytics will be deployed into the existing AWS SaaS Boost environment " + this.envName + ".");
@@ -959,15 +1028,72 @@ protected void deleteApplicationConfig() {
     }
 
     protected void deleteProvisionedTenant(LinkedHashMap<String, Object> tenant) {
-        // Arguably, the delete tenant API should be called here, but all it currently does is set the tenant status
-        // to disabled and then fire off an async event to delete the CloudFormation stack. We could do that, but we'd
-        // still need to either subscribe to the SNS topic for DELETE_COMPLETE notification or we'd need to cycle on
-        // describe stacks like we do elsewhere to wait for CloudFormation to finish. In either case, we need to know
-        // the stack name for the tenant.
-        // Also, this won't scale super well and could be parallelized...
-        String tenantStackName = "Tenant-" + ((String) tenant.get("id")).split("-")[0];
-        outputMessage("Deleteing tenant CloudFormation stack " + tenantStackName);
-        deleteCloudFormationStack(tenantStackName);
+        // TODO we can parallelize to improve performance with lots of tenants
+        String tenantStackId = (String) ((HashMap<String, Object>)((HashMap<String, Object>) tenant.get("resources")).get("CLOUDFORMATION")).get("arn");
+        final ObjectMapper mapper = new ObjectMapper();
+        try {
+            Map<String, Object> systemApiRequest = new HashMap<>();
+            Map<String, Object> detail = new HashMap<>();
+            detail.put("resource", "tenants/" + (String) tenant.get("id"));
+            detail.put("method", "DELETE");
+            Map<String, String> tenantIdOnly = new HashMap<>();
+            tenantIdOnly.put("id", (String) tenant.get("id"));
+            detail.put("body", mapper.writeValueAsString(tenantIdOnly));
+            systemApiRequest.put("detail", detail);
+            final byte[] payload = mapper.writeValueAsBytes(systemApiRequest);
+            try {
+                LOGGER.info("Invoking delete tenant API");
+                InvokeResponse response = lambda.invoke(request -> request
+                        .functionName("sb-" + this.envName + "-private-api-client")
+                        .invocationType(InvocationType.REQUEST_RESPONSE)
+                        .payload(SdkBytes.fromByteArray(payload))
+                );
+                if (response.sdkHttpResponse().isSuccessful()) {
+                    LOGGER.error("got response back: {}", response);
+                    // wait for tenant CloudFormation stack to reach deleted
+                    boolean waiting = true;
+                    while (waiting) {
+                        DescribeStacksResponse stackStatusResponse = cfn.describeStacks(request -> request.stackName(tenantStackId));
+                        StackStatus stackStatus = stackStatusResponse.stacks().get(0).stackStatus();
+                        switch (stackStatus) {
+                            case DELETE_COMPLETE:
+                            case DELETE_FAILED: {
+                                waiting = false;
+                                break;
+                            }
+                            case DELETE_IN_PROGRESS: {
+                                outputMessage("Waiting 1 minute for " + tenantStackId + " to finish deleting.");
+                                try {
+                                    Thread.sleep(60 * 1000);
+                                } catch (InterruptedException e) {
+
+                                }
+                            }
+                            default: {
+                                outputMessage("Unexpected stackStatus " + stackStatus + " while waiting for " + tenantStackId + " to finish deleting.");
+                                outputMessage("Waiting 1 minute for " + tenantStackId + " to finish deleting.");
+                                try {
+                                    Thread.sleep(60 * 1000);
+                                } catch (InterruptedException e) {
+
+                                }
+                            }
+                        }
+                    }
+                } else {
+                    LOGGER.warn("Private API client Lambda returned HTTP " + response.sdkHttpResponse().statusCode());
+                    throw new RuntimeException(response.sdkHttpResponse().statusText().get());
+                }
+            } catch (SdkServiceException lambdaError) {
+                LOGGER.error("lambda:Invoke error", lambdaError);
+                LOGGER.error(getFullStackTrace(lambdaError));
+                throw lambdaError;
+            }
+        } catch (IOException jacksonError) {
+            LOGGER.error("Error processing JSON", jacksonError);
+            LOGGER.error(getFullStackTrace(jacksonError));
+            throw new RuntimeException(jacksonError);
+        }
     }
 
     protected void deleteEcrImages(String ecrRepo) {

layers/apigw-helper/src/main/java/com/amazon/aws/partners/saasfactory/saasboost/ApiGatewayHelper.java

@@ -32,11 +32,10 @@
 import software.amazon.awssdk.core.retry.backoff.BackoffStrategy;
 import software.amazon.awssdk.core.retry.conditions.RetryCondition;
 import software.amazon.awssdk.http.*;
-import software.amazon.awssdk.http.apache.ApacheHttpClient;
+import software.amazon.awssdk.http.urlconnection.UrlConnectionHttpClient;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.sts.StsClient;
 import software.amazon.awssdk.services.sts.model.AssumeRoleResponse;
-import software.amazon.awssdk.services.sts.model.AssumedRoleUser;
 import software.amazon.awssdk.services.sts.model.Credentials;
 import software.amazon.awssdk.utils.StringInputStream;
 
@@ -56,8 +55,7 @@ public class ApiGatewayHelper {
     private static final String AWS_REGION = System.getenv("AWS_REGION");
     private static final String SAAS_BOOST_ENV = System.getenv("SAAS_BOOST_ENV");
     private static final Aws4Signer SIG_V4 = Aws4Signer.create();
-    private static SdkHttpClient HTTP_CLIENT = ApacheHttpClient.builder().build();
-    //private static final StsClient sts = Utils.sdkClient(StsClient.builder(), StsClient.SERVICE_NAME);
+    private static SdkHttpClient HTTP_CLIENT = UrlConnectionHttpClient.create();
     private static final StsClient sts = StsClient.builder()
             .httpClient(HTTP_CLIENT)
             .credentialsProvider(EnvironmentVariableCredentialsProvider.create())
@@ -97,17 +95,6 @@ private static String executeApiRequest(SdkHttpFullRequest apiRequest, SdkHttpFu
         HttpExecuteRequest.Builder requestBuilder = HttpExecuteRequest.builder().request(signedApiRequest != null ? signedApiRequest : apiRequest);
         apiRequest.contentStreamProvider().ifPresent(c -> requestBuilder.contentStreamProvider(c));
         HttpExecuteRequest apiExecuteRequest = requestBuilder.build();
-
-//        StringBuilder buffer = new StringBuilder();
-//        for (Map.Entry<String, List<String>> header : apiExecuteRequest.httpRequest().headers().entrySet()) {
-//            buffer.append(header.getKey());
-//            buffer.append(": ");
-//            buffer.append(header.getValue());
-//            buffer.append("\n");
-//        }
-//        LOGGER.info(buffer.toString());
-
-        LOGGER.info("Calling REST API " + apiExecuteRequest.httpRequest().getUri());
         BufferedReader responseReader = null;
         String responseBody;
         try {

resources/saas-boost-private-api.yaml

@@ -40,6 +40,9 @@ Parameters:
   TenantServiceGetAll:
     Description: Tenant Service get all tenants Lambda ARN
     Type: String
+  TenantServiceDelete:
+    Description: Tenant Service delete tenant Lambda ARN
+    Type: String
   SettingsServiceGetAll:
     Description: Settings Service get all settings Lambda ARN
     Type: String
@@ -201,6 +204,32 @@ Resources:
       Action: lambda:InvokeFunction
       FunctionName: !Ref TenantServiceGetAll
       SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${PrivateApi}/*/GET/tenants
+  TenantServiceDeleteMethod:
+    Type: AWS::ApiGateway::Method
+    Properties:
+      RestApiId: !Ref PrivateApi
+      ResourceId: !Ref TenantServiceByIdResource
+      HttpMethod: DELETE
+      AuthorizationType: AWS_IAM
+      RequestParameters: {method.request.path.id: true}
+      Integration:
+        Type: AWS_PROXY
+        IntegrationHttpMethod: POST
+        Uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${TenantServiceDelete}/invocations
+        PassthroughBehavior: WHEN_NO_MATCH
+        RequestParameters: {integration.request.path.id: 'method.request.path.id'}
+      MethodResponses:
+        - StatusCode: '200'
+          ResponseModels: {application/json: Empty}
+          ResponseParameters:
+            method.response.header.Access-Control-Allow-Origin: false
+  TenantServiceDeleteLambdaPermission:
+    Type: AWS::Lambda::Permission
+    Properties:
+      Principal: apigateway.amazonaws.com
+      Action: lambda:InvokeFunction
+      FunctionName: !Ref TenantServiceDelete
+      SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${PrivateApi}/*/DELETE/tenants/{id}
   TenantServiceInsertMethod:
     Type: AWS::ApiGateway::Method
     Properties:
@@ -255,6 +284,36 @@ Resources:
             method.response.header.Access-Control-Allow-Origin: false
             method.response.header.Access-Control-Max-Age: false
             method.response.header.X-Requested-With: false
+  TenantServiceByIdResourceCORS:
+    Type: AWS::ApiGateway::Method
+    Properties:
+      RestApiId: !Ref PrivateApi
+      ResourceId: !Ref TenantServiceByIdResource
+      HttpMethod: OPTIONS
+      AuthorizationType: NONE
+      Integration:
+        Type: MOCK
+        PassthroughBehavior: WHEN_NO_MATCH
+        IntegrationResponses:
+          - StatusCode: '200'
+            ResponseTemplates: {application/json: ''}
+            ResponseParameters:
+              method.response.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
+              method.response.header.Access-Control-Allow-Methods: "'GET,OPTIONS,DELETE'"
+              method.response.header.Access-Control-Allow-Origin: "'*'"
+              method.response.header.Access-Control-Max-Age: "'3600'"
+              method.response.header.X-Requested-With: "'*'"
+        RequestTemplates:
+          application/json: '{"statusCode": 200}'
+      MethodResponses:
+        - StatusCode: '200'
+          ResponseModels: {application/json: Empty}
+          ResponseParameters:
+            method.response.header.Access-Control-Allow-Headers: false
+            method.response.header.Access-Control-Allow-Methods: false
+            method.response.header.Access-Control-Allow-Origin: false
+            method.response.header.Access-Control-Max-Age: false
+            method.response.header.X-Requested-With: false
   SettingsServiceResource:
     Type: AWS::ApiGateway::Resource
     Properties:

resources/saas-boost.yaml

@@ -798,6 +798,7 @@ Resources:
         TenantServiceById: !GetAtt tenant.Outputs.TenantServiceByIdArn
         TenantServiceInsert: !GetAtt tenant.Outputs.TenantServiceInsertArn
         TenantServiceGetAll: !GetAtt tenant.Outputs.TenantServiceGetAllArn
+        TenantServiceDelete: !GetAtt tenant.Outputs.TenantServiceDeleteArn
         SettingsServiceGetAll: !GetAtt settings.Outputs.SettingsServiceGetAllArn
         SettingsServiceGetSecret: !GetAtt settings.Outputs.SettingsServiceGetSecretArn
         SettingsServiceDeleteAppConfig: !GetAtt settings.Outputs.SettingsServiceDeleteAppConfigArn